You can write to and read from existing encryption zones, but you cannot create new zones.

Cloudera Navigator Encrypt

You cannot register new Cloudera Navigator Encrypt clients.

You can continue reading and writing encrypted data, including creating new mount points, using existing clients.

Cloudera recommends monitoring both Key Trustee Servers. If a Key Trustee Server fails catastrophically, restore it from backup to a new host with the same hostname and IP address as the failed host. See Backing Up and Restoring Key Trustee Server and Clients for more information. Cloudera does not support PostgreSQL promotion to convert a passive Key Trustee Server to an active Key Trustee Server.

For new installations, use the Set up HDFS Data At Rest Encryption wizard and follow the instructions in Enabling HDFS Encryption Using the Wizard. When prompted, make sure that the Enable High Availability option is selected.

If you already have a Key Trustee Server service, and want to enable high availability, use the Add Role Instances wizard for the Key Trustee Server service instead to add the Passive Key Trustee Server and Passive Database roles.
Important: You must assign the Key Trustee Server and Database roles to the same host. Assign the Active Key Trustee Server and Active Database roles to one host, and the Passive Key Trustee Server and Passive Database roles to a separate host.

After completing the Add Role Instances wizard, the Passive Key Trustee Server and Passive Database roles fail to start. Complete the following manual actions to start these roles:

Replace keytrustee02.example.com with the hostname of the Passive Key Trustee Server.

Run the following command on the Passive Key Trustee Server:

$ sudo ktadmin init

Start the Key Trustee Server service (Key Trustee Server service > Actions > Start).
Important: Starting or restarting the Key Trustee Server service attempts to start the Active Database and Passive Database roles. If the Active Database is not running when the Passive Database attempts to start, the Passive Database fails to start. If this occurs, manually restart the Passive Database role after confirming that the Active Database role is running.

Configuring Key Trustee Server High Availability Using the Command Line

Once you have installed and configured the second Key Trustee Server, initialize the active Key Trustee Server by running the following commands on the active Key Trustee Server host:
Important: For Key Trustee Server 5.4.0 and higher, the ktadmin init-master command is deprecated, and should not be used. Use the ktadmin init command instead. If you are using SSH software other than OpenSSH, pre-create the SSH key on the active Key Trustee Server before continuing:

Replace keytrustee01.example.com with the fully qualified domain name (FQDN) of the active Key Trustee Server. Replace keytrustee02.example.com with the FQDN of the passive Key Trustee Server. Cloudera recommends using the default /var/lib/keytrustee/db directory for the PostgreSQL database.

To use a different port for the database, modify the ktadmin init and ktadmin db commands as follows:

Replace keytrustee02.example.com with the fully qualified domain name (FQDN) of the passive Key Trustee Server. Replace keytrustee01.example.com with the FQDN of the active Key Trustee Server. Cloudera recommends using the default /var/lib/keytrustee/db directory for the PostgreSQL database.

To use a different port for the database, modify the ktadmin init-slave command as follows:

If you use a database directory other than /var/lib/keytrustee/db, create or edit the /etc/sysconfig/keytrustee-db file and add the following line:

ARGS="--pg-rootdir /path/to/db"

The ktadmin init-slave command performs an initial database sync by running the pg_basebackup command. The database directory must be empty for this step to work. For information on performing an incremental backup, see the PostgreSQL documentation.
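
A pre-flight check for the two requirements above, run on the passive host before ktadmin init-slave. This is an added example, not Cloudera's code: the kts_* function names are hypothetical, and treating a directory that does not exist yet as acceptable is an assumption.

```shell
#!/bin/sh
# Added example: pre-flight check before the initial sync on the passive host.
# The kts_* names are hypothetical helpers, not ktadmin commands.

DEFAULT_DB_DIR=/var/lib/keytrustee/db

# Print the database directory: the --pg-rootdir value from the ARGS line of
# the sysconfig file if present, otherwise the default. The file is parsed,
# not sourced, so nothing in it is executed. Paths with spaces are not handled.
kts_db_dir() {
    conf=${1:-/etc/sysconfig/keytrustee-db}
    dir=
    if [ -r "$conf" ]; then
        dir=$(sed -n "s/^ARGS=.*--pg-rootdir[ =]\{1,\}\([^ \"']*\).*/\1/p" \
            "$conf" | tail -n 1)
    fi
    printf '%s\n' "${dir:-$DEFAULT_DB_DIR}"
}

# Print one of: missing, not-a-directory, unreadable, not-empty, empty.
# Hidden files count as content.
kts_db_dir_state() {
    if [ ! -e "$1" ]; then echo missing
    elif [ ! -d "$1" ]; then echo not-a-directory
    elif [ ! -r "$1" ] || [ ! -x "$1" ]; then echo unreadable
    elif [ -n "$(ls -A "$1")" ]; then echo not-empty
    else echo empty
    fi
}

# Return 0 only when the initial sync can proceed. Treating a directory that
# does not exist yet as acceptable is an assumption of this example.
kts_preflight() {
    dir=$(kts_db_dir "${1:-}")
    state=$(kts_db_dir_state "$dir")
    echo "database directory: $dir ($state)"
    case $state in
        empty|missing) return 0 ;;
        *) echo "not safe to sync: directory must be empty" >&2; return 1 ;;
    esac
}

# Run the check when a sysconfig path is given on the command line.
if [ $# -gt 0 ]; then kts_preflight "$1"; fi
```
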

Note: The /etc/init.d/postgresql script does not work when the PostgreSQL database is started by Key Trustee Server, and cannot be used to monitor the status of the database. Use /etc/init.d/keytrustee-db instead.

The ktadmin init command generates a self-signed certificate that the Key Trustee Server uses for HTTPS communication. Instructions for using alternate certificates (for example, if you have obtained certificates from a trusted Certificate Authority) are provided later.

Enable Synchronous Replication

Key Trustee Server high availability requires synchronous replication to ensure that all rows in the database are inserted in at least two hosts, which protects against key loss.

To enable synchronous replication, run the following command on the active Key Trustee Server:

Important: Because clients connect to Key Trustee Server using its fully qualified domain name (FQDN), certificates must be issued to the FQDN of the Key Trustee Server host. If you are using CA-signed certificates, ensure that the generated certificates use the FQDN, and not the short name.
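
One way to check which name a certificate was issued to before deploying it. This is an added example, not Cloudera's tooling: the function names are hypothetical, the certificate is whatever PEM file you pass in, and make_sample_cert only creates a throwaway certificate for trying the check.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Requires the openssl CLI.

# Succeed if the PEM certificate is valid for the given host name
# (subjectAltName first, common name as fallback, per openssl's matching).
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Classify a certificate against the server's FQDN:
#   fqdn        issued to the FQDN that clients connect with
#   short-name  issued only to the short host name (the case to avoid)
#   mismatch    matches neither name
classify_cert() {
    cert=$1
    fqdn=$2
    short=${fqdn%%.*}
    if cert_matches_host "$cert" "$fqdn"; then echo fqdn
    elif cert_matches_host "$cert" "$short"; then echo short-name
    else echo mismatch
    fi
}

# Constructed sample input: a throwaway self-signed certificate whose
# common name is $1, written to $2 (private key to $2.key).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$2.key" -out "$2" 2>/dev/null
}
```
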

Recovering a Key Trustee Server

If a Key Trustee Server fails, restore it from backup as soon as possible. If the Key Trustee Server host fails completely, make sure that you restore the Key Trustee Server to a new host with the same hostname and IP address as the failed host.
